Hello list, I have a question about OSSEC log file monitoring. I have configured OSSEC to monitor a log file which I populate with the output of a script. I have also created accompanying decoder and alert rules. Every configuration works as expected, but there is a strange problem: OSSEC misses some entries, like losing events.
For example: if we have 10 entries of the same event, OSSEC may have missed 2 or 3 of them. Also, this seems to be a frequency problem. For example, if I add each entry with a delay between them, a couple of secs, OSSEC catches all of them. But if I enter them all at once, as the script does, OSSEC misses some of them. Is there a way to check how OSSEC reads the log file and why it misses some of the entries? I have to note that the log file does not have a date for each entry, as I am not interested in when the event happened, but rather in whether the event repeated x times. Thank you
